T-GRCS: The enterprise solution to manage governance, risk and compliance. TOSMS GRC SOLUTION (UK)

Post on 06-Jul-2020



digitise | integrate | automate

CONTENTS

• ABOUT T-GRCS 4
• T-GRCS KEY DIFFERENTIATORS 5
• BUSINESS BENEFITS 6
• SOLUTION OVERVIEW 8
• SOLUTION FUNCTIONALITY 14
• TECHNOLOGY OVERVIEW 24
• IMPLEMENTATION APPROACH 25
• PRICING 26
• CONTACT US 27

ABSTRACT

We have answered the call of our clients to deliver a fully integrated solution for the Governance, Risk and Compliance (GRC) functions in an organisation.

This brochure explains how we have taken the key functions in the GRC operations of a company and translated them into a workflow model that delivers a portfolio of 30 GRC services across the company. We have then codified this into a set of 12 modules that we cover in this brochure. This delivers the system capability for enabling the services and providing a fully digitised, integrated and automated solution for the GRC functions in the organisation.

Intellectual Property Notification:

The content contained in this brochure is the intellectual property of Tim O’Hanlon. It has been provided to you for your information only, and may not be used, copied, reproduced, distributed, broadcast, displayed or otherwise exploited for any other purposes without prior consent of the author.

ABOUT T-GRCS

Our vision is to revolutionise the GRC landscape by unlocking significant value for our clients and creating a world in which organisations can act with integrity in addressing uncertainty while achieving their objectives.

We do this through our focus on delivering pragmatic solutions to the challenges faced by organisations while creating lasting relationships with our clients based on integrity and performance.

Our solutions are intuitive, easy to implement, compatible and completely scalable.

Each of the applications in the toolbox operates individually within the fully integrated enterprise solution, resulting in minimal disruption and maximum benefit, should you decide to incrementally implement the full enterprise solution in whatever configuration you choose.

Our enterprise solution comprises a GRC Standard and enabling Toolbox of applications underpinned by an enterprise platform with its relational database.

Our solution reduces the cost, complexity and risk to business through digitisation, integration and automation of key workflow functionality in the GRC operations of a company.

We have a GRC workflow model that defines the functionality our solution provides. This functionality is delivered through a portfolio of 30 GRC services, and every function in the model is sorted under one of those services.

T-GRCS empowers people and organisations to make better decisions faster when it comes to managing the risks to their operations. We do this through command and control of the company’s risks using smart, real-time, online maintenance, monitoring, reporting, remediation and change control delivered via the system.

A Governance, Risk & Compliance solution that reduces costs, complexity and risk

Chris Harvey, Director, Governance, Legal and Compliance, Swiss Multinational Bank

“The combined roll-out team from the two companies is continuing to provide an exceptional level of expertise that provides the bank with peace of mind that the obstacles that such a programme will encounter along the way are dealt with in an informed and highly professional manner.”

We are implementing our solution for the bank using agile with an incremental roll-out of key GRC functionality for high risk legislation.

KEY DIFFERENTIATORS

T-GRCS is transforming the way companies do GRC. Backed by our world class enabling software, our revolutionary approach to GRC significantly reduces cost, complexity and risk, helping the enterprise achieve optimal performance. Whether you are looking to transform your entire GRC operations or just want to enhance your capabilities in a specific area, T-GRCS has a solution tailored to your needs.

GRC Standard

Our ground-breaking GRC Standard helps you to:

• Analyse your current operations against our GRC benchmark with its portfolio of 30 GRC services;

• Establish change opportunities where reductions in cost, complexity and risk can be achieved;

• Provide support for your organisation during the transition to the new benchmark;

• Deliver continuous improvement, through ongoing assessment of the effectiveness of your organisation’s risk defenses and by adding controls that are missing and fixing those that are not operating optimally; and

• Master the complexities of change and configuration control across all key GRC variables that represent an exposure to the company, so that sustainable solutions can be assured.

A world class approach that is revolutionising GRC

Enterprise platform and relational database

T-GRCS offers an enterprise platform with relational database that incorporates a GRC Integration Hub for merging all a company’s existing GRC content in FinTech and RegTech applications, including its enterprise platforms, to provide the necessary single reference point for all content required to be processed by its GRC operations for control of the company’s risk.

Toolbox of integrated applications

The GRC Toolbox holds the many applications that operate individually and in any combination within a fully integrated enterprise design to digitise, integrate and automate the 30 GRC services. These applications can be found in the various modules that make up the T-GRCS solution.

Portfolio of 30 digital service offerings

The GRC Standard comprises a vast range of functionality that sits within a portfolio of 30 GRC services. These have been grouped into the four stages of a client’s digital transformation journey as follows:

• Digitising core GRC content;

• Integrating and automating GRC functionality;

• Resolving future GRC change impacts; and

• Embarking on a GRC digitisation journey.


BUSINESS BENEFITS

Optimise performance

By integrating the GRC capabilities, T-GRCS allows the organisation to establish cohesive strategies that lead to optimised performance in keeping the company on track.

Reduce cost

Because the solution is intuitive, easy to implement, compatible and completely scalable it provides total flexibility and extensibility. Flexibility means interchangeable components are easily replaced without rework in other areas. Extensibility means you can integrate future components with ease.

Flexibility + Extensibility = Lower Cost

Improve efficiency and prevent duplication

A centralised data repository dramatically boosts efficiency by providing the right information to the right people and eliminating duplication of effort in data entry.

Achieve better information quality

The solution provides a common framework of how GRC functions and governance structures work together to input, process and distribute vital information to govern the company, leading to improved quality and reduced redundancy.

Integrate with existing systems

T-GRCS’s underlying architecture and REST API integration layer ensure ease of integration with other client systems using its Integration Hub.

Our radical approach to doing GRC right gives you the freedom to scale as you need based on what you can afford, supporting you every step of the way, ensuring that you achieve your transformation objectives with minimal interruption to the operations and within budget. It has the power to help you better anticipate and manage risk, reduce complexity, improve decision making, and ultimately decrease the cost of governance, risk and compliance operations.

Now is the time to seize the moment and realise the many benefits that T-GRCS has to offer


Improve change control

Digitisation is paving the way for smart integration and automation, providing the keys to address the biggest change control challenges faced by the organisation.

Achieve greater consistency and repeatability in processes

Take advantage of the benefits brought about by the unified vocabulary, defined components and data elements, defined information requirements, standardized policies and training practices and defined communication paths for all involved; including key decision makers.

Access to expertise

T-GRCS gives you access to some of the best minds in the world when it comes to implementing holistic GRC solutions. We have decades of experience in IT, engineering, legal, GRC and organisational transformation. The result is a unique and powerful team of experts that harness technology to improve decision-making, reduce risk and unlock business value.

Improve speed and agility in gathering information

Improved business agility lets you react to new opportunities quicker because of the speed with which you are able to consider risk and compliance information in the system, giving you the edge over your competitors.

Early warning system

Our solution enables you to introduce preventative maintenance routines and effective defense mechanisms as a result of the powerful monitoring capabilities offered by the Early Warning Advance Controls.

Optimise Legal Contributions

In managing the GRC operations in a company, there is a considerable investment in legal input that gets produced to help protect the interests of the business. Our solution dedicates an entire module to delivering the functionality that harnesses this valuable contribution, keeps it under change control and ensures it is accessible whenever it is required, whether it is for due diligence purposes in defending the company’s position in a court of law or for providing expert interpretations to guide the company’s direction in the management of its risk.

Improve the level of detail

Our contention is that the devil is in the detail when dealing with risk mitigation. Through the transition to digitised, integrated and automated GRC operations, there is an increased processing capability. This is driven by the system that caters for a greater level of granularity in the detail able to be processed without placing any additional burden on staff.

SOLUTION OVERVIEW

T-GRCS is a revolutionary new solution for managing Governance, Risk and Compliance. It comprises a GRC Standard and enabling Toolbox of applications that provides for the digitisation, integration and automation of essential GRC functionality across an enterprise.

To understand the functionality in our solution, we need to share our GRC Workflow Model as it is the benchmark we have created to define what GRC is. Every client will have different processes, records, systems and roles that make up their GRC operations so we provide a standard model for comparison purposes to show where the key differentiators are that will add value. A simple representation of this model is shown in Figure 1.

GRC Workflow Model

The GRC Workflow Model is important as it provides the logic we have used to unpack what our solution delivers. All the functionality that the system provides comes from digitizing, integrating and automating the key GRC workflow operations. To help compare what we offer, we have sorted this functionality into a set of 30 GRC services that map directly to the workflow model. A simplified version of the GRC Workflow Model showing where the 30 GRC services fit in is provided under Solution Functionality in Figure 3.

Figure 1: The GRC Workflow Model Simplified

As mentioned earlier, Figure 1 provides a simplified breakdown of the key components that make up our workflow specification. By reading the descriptions in the sequence in which they are numbered in the diagram, you will get an idea of how the workflow model works, with insights into the role the system plays and exposure to unique terminology we have created as part of our GRC Standard.

Given the extensive nature of our standard and its terminology, it needs to be explained in more detail than we are able to in this brochure, so we would welcome the opportunity to present more details in a follow-up presentation.

Next to Figure 1 you can see the various T-GRCS modules that are associated with each of the components in the workflow diagram. It should now start becoming clear that you are looking at a comprehensive solution that has been designed to deal with every aspect of GRC.

Also, just to elaborate further, there are numerous sub-modules that drive each of the modules shown here. Details of the modules shown are provided over the page. As mentioned earlier, being able to see what GRC covers in our model and how the various modules support it makes it easier for clients to compare this picture to what they already have in place to see where potential benefits lie. This is helped further by the details we provide on the 30 GRC services - see Solution Functionality later for examples.

A unique framework of thirty GRC services that make up the full spectrum of GRC workflow functionality


RISK ESCALATION

The PARA Monitoring Cycle provides escalation responses from the Early Warning Advance Control triggers. They are fed up the line to the appropriate management forums as part of the Risk Escalation and Reporting Framework. Management Action Plans are agreed and tracked via the My Comply monitoring dashboards.

GRC STAKEHOLDERS

Various GRC stakeholders are responsible. They are registered as Governance Controllers (GCs) and have Automated Standard Compliance Procedures (ASCPs) as part of a Three Lines of Assurance GRC Accountability Model. This creates an expert system that reduces human error and dependency on experts.

RISK RESPONSE

ASSESS, INTERPRET and FIX are the three modules that drive the responses to vulnerabilities from non-compliance. Gaps in business operating models are assessed, business controls are set up or re-engineered and Preventative Maintenance Routines, Automated Standard Compliance Procedures and training realigned.

BUSINESS RISKS

Risk triggers create vulnerabilities. These can be external or internal and cover numerous categories of risk that companies use Enterprise Risk Management systems to control. T-GRCS interfaces with these systems to provide a fully integrated GRC solution using Application Programming Interface Technology.

Figure 1: The GRC Workflow Model Simplified (with Enabling Modules)

GRC INFORMATION PROCESSING

There are over 1000 fields called data elements that make up the relational database with complex relationships and dependencies designed into the architecture of the underlying platform. There are 30 GRC services that they rely on in any combination as a result of the flexible design.

THE MONITORING CYCLE

There is a Plan-Action-Review-Attest (PARA) Monitoring Cycle that delivers the GRC Monitoring Programme (P), Early Warning Advanced Control triggering (A), review of Business Controls and their Preventative Maintenance Routines (R) and Combined Assurance by Governance Controllers (A).

INTERNALISING GRC

Companies need to make sure they are able to demonstrate how they have internalised the obligations that come from regulations. It is a key issue for regulators and government bodies. This entails mapping internal governance documentation to high-risk obligations. We use our I-UNPACK module to do this mapping.

[Figure 1 diagram: the seven workflow components above are numbered 1 to 7, with the enabling modules shown alongside them: MY COMPLY, FORMS FACTORY, ASSESS, INTERPRET, FIX, COMPLY, E-UNPACK, T-RMS, I-UNPACK, T-PIMS, GRC LIBRARY and MONITOR.]



As can be seen in the GRC Workflow diagram in Figure 1, there are twelve modules in our Toolbox that provide the functionality to manage this workflow model. They are made up of 5 main modules and 7 accessory modules that are described as follows:

T-GRCS Main Modules

COMPLY: A Regulatory Universe Register of all GRC risk requirements that the company must comply with, kept up to date and linked to the business controls in every entity that are constantly monitored. Includes change control of business operating models and management of regulatory alerts.

MONITOR: Governance Controllers (GCs) within the Three Lines of Assurance GRC Model, with pre-defined Automated Standard Compliance Procedures and Preventative Maintenance Routines, drive a GRC Plan-Action-Review-Attest programme. Includes dashboards and automated tracking of deliverables.

FIX: The output from analysis is used to create, track and report on Management Action Plans to fix gaps where the risk warrants corrective action. Includes use of the GRC Component Breakdown Structure as part of the Integrated Governance Framework for tracking and keeping a history of all work carried out in any part of the GRC operation.

INTERPRET: Resolution of practical interpretation issues raised during entity-level analysis. The output is a Register of Rulings that is the company’s central reference for how to interpret GRC requirements, with a log of inputs that led to each ruling providing a record of due diligence if challenged.

ASSESS: Two pre-configured sets of questions to analyse GRC requirements, with the choice of a high level assessment or detailed analysis depending on the level of granularity required. Provides a compliance risk baseline for driving changes supported by full integrated reporting and change control.

T-GRCS Accessory Modules

T-RMS (Records Management Solution): Applying GRC rules at transactional level to targeted records through application programming interface technology within a bespoke integration architecture.

GRC LIBRARY: A central repository under change control to provide easy access with search engine capabilities and a filing structure to manage all GRC documentation.

MY COMPLY: Each Governance Controller has the MY COMPLY application on their desktop that includes their Automated Standard Compliance Procedures and all associated GRC tasks and notifications.

GRC FORMS FACTORY: A central repository under change control to provide easy access and to manage all standard GRC templates, including those for internal and external reporting.

I-UNPACK: Mapping high risk Detail Level Requirements (DLRs) from external GRC statutory reference documents to internal governance documentation including policies, standards, operating manuals and guidelines.

E-UNPACK: Converting all relevant clauses from external GRC statutory reference documents into Detail Level Requirements (DLRs), logically grouped by workstreams with full audit trail details and change control.

T-PIMS (PRSR Inventory Management Solution): Mapping processes, records, systems and roles (PRSRs) to GRC requirements and keeping them up to date for managing Business Operating Model changes in an organisation.


To manage the enormous volume of GRC information that is constantly being processed by T-GRCS, we have designed a relational database using the key building blocks shown in the adjacent diagram.

Each building block fulfils a key role in delivering the required metadata and relationship specifications for the thousands of fields that make up the full data architecture for our GRC solution. An in-depth knowledge of the GRC workflows and data processing being carried out is an essential prerequisite for setting this model up. We have spent many years perfecting this architecture, which provides the bedrock for our revolutionary approach. Two of the building blocks are shown with the data sets that make up these areas of the database.

REGULATORY UNIVERSE

External standards, regulations and other external reference documents that govern the company are risk assessed and prioritised

DETAIL LEVEL REQUIREMENTS (DLRs)

Extracted requirements are logically grouped into workstreams and risk assessed against every entity impacted

BUSINESS CONTROLS

Functional gaps in the operation arising from high risk DLRs are resolved through internal & external Business Controls made up of Organisational Design Elements (Processes, Records, Systems and Roles)

MONITORING & MAINTENANCE

Management of the Plan-Action-Review-Attest monitoring & reporting cycle using the Three Lines of Assurance GRC framework and risk / compliance scoring and rating models

REGULATORY CHANGE CONTROL

Control of all changes to the Regulatory Universe Register and their knock on effect to DLRs, business controls, organisational design elements, training and the various types of governance documentation

Relational Database Building Blocks

Figure 2: The Five Building Blocks Of T-GRCS

[Figure 2 diagram: the five building blocks, Regulatory Universe, Detail Level Requirements (DLRs), Business Controls, Monitoring & Maintenance and Regulatory Change Control, arranged around the TOSMS GRC Solution.]

Example Datasets

Business Controls:

• Business Control Requirement Specifications
• Regulation(s) Applicable
• Regulatory Obligations (DLRs) Applicable
• Business Operating Model(s) Impacted
• Functional Gaps in Operating Models
• Process, Record, System and People Role Change Specifications
• Governance Documentation Applicable
• Business Control Owner Details
• Standard Compliance Procedures per Owner
• Business Control Compliance Scores and Ratings
• Operational & Design Effectiveness Details
• Business Control Training Details
• Capture Details
• Change History

Regulatory Universe:

• Regulation Details
• Business Entities Impacted
• Inherent Risk Impact and Likelihood Details
• Inherent Risk Scores and Ratings
• Compliance Ratings
• Overall Effectiveness Scores
• Details of Rationale for Effectiveness Scores
• Residual Risk Impact and Likelihood Details
• Residual Risk Scores and Ratings
• Governance Documentation
• Training Details
• Owner Details for each Regulation
• Standard Compliance Procedures per Owner
• Capture Details
• Change History


SOLUTION FUNCTIONALITY

Maturity Assessment And Proof Of Concept

For clients to determine what improvements can be provided by our solution, we have taken our workflow model and created a list of all the GRC functions that our solution provides – there are a total of 30 services these functions sort under. This creates a checklist that can be used to carry out a Maturity Assessment on the GRC services that a client has in place and how they compare to the level of sophistication provided by T-GRCS. Arising from this assessment, we would provide clients with a plan for carrying out a Proof of Concept for those areas that have the best return for the client. This is a great way of seeing our solution in action where it can help the most.

Figure 3: The Portfolio Of 30 GRC Services

To illustrate the nature of the functionality provided by our GRC solution we have mapped the portfolio of 30 GRC services to our GRC Workflow Model as shown in the adjacent simplified diagram.

We have also grouped the 30 services into the four stages a client’s digitisation efforts fall into as follows:

• A: Digitisation of Core GRC Content (7 services);

• B: Integration and Automation of GRC Functionality (14 services);

• C: Resolving Future GRC Change Impacts (6 services); and

• D: Embarking on a GRC Digitisation Journey (3 services).

As the services shown in the diagram are labelled with simple names, they are not self-explanatory. Over the page, we have provided a summary of each service that gives a high level view of what each one entails.


List of Acronyms:

• GMP: GRC Monitoring Programme
• RU: Regulatory Universe
• EWACs: Early Warning Advance Controls
• Regs: Regulations
• DLRs: Detail Level Requirements
• PRSROs: Processes, Records, Systems, Roles and Other
• PMRs: Preventative Maintenance Routines
• Gov Docs: Governance Documentation
• GCs: Governance Controllers
• ASCPs: Automated Standard Compliance Procedures


Figure 3: The Portfolio of 30 GRC Services (mapped to the GRC Workflow Model, with Enabling Modules)

• RISK ESCALATION: GRC-POS 19 Forums; GRC-POS 22 RU Changes; GRC-POS 23 Alerts

• GRC STAKEHOLDERS: GRC-POS 28 GRC Strategy; GRC-POS 29 Capability; GRC-POS 30 Initiatives

• RISK RESPONSE: GRC-POS 24 Analysis; GRC-POS 25 Rulings; GRC-POS 26 New Controls; GRC-POS 27 EWACs

• BUSINESS RISKS: GRC-POS 17 Integration

• GRC INFORMATION PROCESSING: GRC-POS 01 Regs & DLRs; GRC-POS 02 Controls; GRC-POS 03 PRSROs; GRC-POS 04 PMRs; GRC-POS 05 Gov Docs; GRC-POS 06 GCs; GRC-POS 07 ASCPs

• THE MONITORING CYCLE: GRC-POS 08 RU Register; GRC-POS 11 GMP; GRC-POS 12 GMP Review; GRC-POS 13 Disruptors; GRC-POS 14 Dashboard; GRC-POS 15 Reporting; GRC-POS 16 HUB; GRC-POS 18 Tasks; GRC-POS 20 Assistant; GRC-POS 21 Forms

• INTERNALISING GRC: GRC-POS 09 Library; GRC-POS 10 Doc Mapping

[Figure 3 diagram: the seven workflow components are numbered 1 to 7, with the enabling modules shown alongside them: MY COMPLY, FORMS FACTORY, ASSESS, INTERPRET, FIX, COMPLY, E-UNPACK, T-RMS, I-UNPACK, T-PIMS, GRC LIBRARY and MONITOR.]

PORTFOLIO OF 30 SERVICES - SUMMARY

This summary provides a brief description of each service to help clients quickly establish the full scope of the GRC services we provide and select the ones they would like to find out more about. We have a separate brochure for each service that can be provided.

DIGITISATION OF CORE CLIENT GRC CONTENT

GRC-POS-01: Digitise Regulations & Detail Level Requirements (DLRs)

Key regulatory details, made up of company external obligations such as legislation and international standards, are digitised and logged in a Regulatory Universe (RU) Register. High-risk regulations are unpacked to identify all obligations and create Detail Level Requirements (DLRs) that are logically grouped into themes for streamlining business controls.

GRC-POS-02: Digitise Business Controls

Controls are the cornerstone of risk remediation. There are complex relationships between gaps in business operating models that raise risk levels and the Processes, Records, Systems and Roles (PRSRs) that are applied to controls to resolve these gaps. Our service captures the specification for each control and takes care of this integration complexity.


GRC-POS-03: Digitise Processes, Records, Systems & Roles (PRSRs)

Organisational Design Elements (ODEs) that are made up of Processes, Records, Systems and Roles (PRSRs) are captured and kept under change control because of their vital association with business controls. This information is essential when carrying out a regulatory change gap analysis.

GRC-POS-04: Digitise Preventative Maintenance Routines (PMRs)

Our GRC Standard applies a combination of engineering and quality management principles to achieve sustainable GRC solutions by using our revolutionary Preventative Maintenance Routines (PMRs). These are purpose-designed for each business control to manage risk prevention.

GRC-POS-05: Digitise Governance Documentation

Governing Bodies of companies need to see how high-risk regulations are internalised, so this is a vital service for capturing clients’ governance documentation in a consolidated state ready for mapping digitally. This includes policies, operating manuals, internal standards, procedures, etc.

GRC-POS-06: Digitise Governance Controller (GC) Details

Our GRC Standard has various roles for covering the full ambit of GRC accountabilities and these all belong in a group called Governance Controllers (GCs). Our service sets up the Combined Assurance framework with GC details to manage these accountabilities.

GRC-POS-07: Digitise Automated Standard Compliance Procedures (ASCPs)

One of the most important tools for helping GCs do their job is an expert system for them to rely on that removes the human element as far as possible and reduces the risk of human error. To harness this tool, our service captures every duty of every GC in what the GRC Standard terms Automated Standard Compliance Procedures. These ASCPs work in conjunction with the PMRs for each control covered in GRC-POS-04.

INTEGRATION & AUTOMATION OF CLIENT GRC FUNCTIONALITY

GRC-P0S-08: Provide a Digitised Current Regulatory Universe (RU) Register

This service helps clients by taking the

thousands of records, associated with their many current regulations and extracted DLRs, and providing the processing of this data into a multitude of different views - such as heat maps per business unit for inherent and residual risk, content groupings e.g. Data Privacy and AML, jurisdictions, etc. This service supports various types of GRC Risk Management Plans in conjunction with GRC-POS-12.

GRC-P0S-09: Provide a Digitised GRC Library

We help clients consolidate into a central library all regulations and other digitised GRC external reference documents, along with their internal governance documentation, to create a sizeable knowledge base with considerable value including instant access to information from smart categorization and filing, search engine capabilities and version control.

GRC-P0S-10: Provide Governance Documentation Mapping to High-Risk DLRs

Governing Bodies of companies need to demonstrate to Regulators that their regulations have been internalised and to do this our service audits the links between

Page 10: T-GRCS › wp-content › uploads › 2020 › ... · addressing uncertainty while achieving their objectives. We do this through our focus on delivering pragmatic solutions to the

all high-risk DLRs in the regulations and the internal governance documentation of the company through a mapping process. This service works in conjunction with GRC-POS-05 and GRC-POS-09.

GRC-P0S-11: Provide a Digitised GRC Monitoring Programme (GMP)

The GRC Monitoring Programme )GMP( is like the service manual for your car, made up of a set of digitised Preventative Maintenance Routines )PMRs(, derived from all the controls, and a schedule of how often they must be performed and by who, in order to achieve an error-free experience. Our GRC Standard has a PARA Monitoring Cycle of Plan-Action-Review-Attest and this is the Plan step that generates and maintains the GMP.

GRC-P0S-12: Provide Reviews of the GRC Monitoring Programme (GMP)

One of the main reasons for needing to do reviews of the GMP is that a selective monitoring approach is often used by clients due to limited resources. PMRs are prioritised based on various risk criteria that are assessed periodically and this service then creates various types of GRC Risk Management Plans )e.g. CRMPs( based on these changing priorities.

GRC-POS-13: Provide Control of GRC Disruptors

There are four primary GRC disruptors that our service is designed to help clients manage in an integrated way – risk events, complaints, changes to operating models and external regulatory obligations. This is part of the Action stage of the PARA Monitoring cycle, as these disruptors can happen at any time and the business needs to be set up to tackle them as an integral part of the broader GRC Standard.

GRC-POS-14: Provide Automated GRC Monitoring

The other half of the picture for the error-free experience mentioned in GRC-POS-11 is the dashboard. This service provides for the incremental development of automated monitoring for each client. It represents the culmination of all the digitisation efforts and the integration and automation engineering that is applied to deliver the GRC monitoring “nerve centre”.

GRC-POS-15: Provide Automated GRC Reporting

An extension of Automated GRC Monitoring in GRC-POS-14 is the outputs that are flagged and reported on when certain thresholds are breached. Our design provides for the customisation of these thresholds and the details and manner in which breaches are then handled using a severity rating and escalation standard.

GRC-POS-16: Provide a GRC Integration Hub

Automated monitoring (GRC-POS-14) relies heavily on access to the many sources of application data required for providing the feeds. It requires a rules-based approach that can be applied at the source of the processing, and this introduces significant complexities that interface technology can address incrementally through this service.

GRC-POS-17: Provide Integration of Enterprise Solutions

Due to the enterprise nature of our GRC monitoring solution and the fact that it deals with every operating model in a company, together with the rules that drive them, an essential service is to integrate existing client enterprise solutions within the different operations that are necessary for delivering a complete solution. This is an extension of GRC-POS-16.

GRC-POS-18: Provide Integrated GRC Task Planning & Control

There are numerous services that generate tasks that are crucial for delivery of required outcomes. This Task Planning & Control service is part of our underlying platform and provides the functionality for each service to manage the tasks that are required. It uses a unique GRC component breakdown structure so that it is possible to provide a status on efforts and the history relating to each of these components.

GRC-POS-19: Provide Integrated GRC Forum Planning & Administration

There are various strategic forums the GRC functions support in the company that are crucial for setting direction and generating important outputs in the form of deliberations, decisions and actions around risk. This service provides an integrated framework for how GRC functions and the governance structures work together for inputting, processing and outputting vital information to govern the company.

GRC-POS-20: Provide a Digitised GC Desktop Assistant

Services GRC-POS-06 and GRC-POS-07 covered the digitisation of Governance Controller (GC) details and their ASCPs. This is part of the key data in our desktop assistant, which we call MY COMPLY, that this service helps clients set up. It provides a go-to expert system for helping GCs manage all aspects of their job and includes notifications, task reminders and other essential information directly related to their responsibilities.

GRC-POS-21: Provide a Digitised GRC Forms Factory

To ensure consistency of approach, our GRC Standard has hundreds of forms and templates used throughout the many services in our portfolio. Attestation forms, reporting layouts, and PMR, ASCP and business control specification templates are but a few examples. This service helps clients introduce a Forms Factory with these items under strict change control.

RESOLVING CLIENT FUTURE GRC CHANGE IMPACTS

GRC-POS-22: Provide a Digitised Future Changes Regulatory Universe (RU) Register

GRC-POS-08 covered the Current RU Register, and here we are talking about a Future Changes RU Register. Having two registers is to make sure there is a clear delineation between managing the current status quo and any material changes that arise. This service helps clients deal with all change alerts through maintenance of a Future Changes RU Register.

GRC-POS-23: Provide Control of Digitised Regulatory Change Alerts

This service helps clients integrate 3rd party alert service provider systems with the Future Changes RU Register. All alerts are categorised, filtered and prioritised based on pre-determined client criteria. A combination of other services can then be used to help process agreed changes that are then moved into the Current RU Register once delivery is completed.

GRC-POS-24: Provide Gap Analysis & Risk Assessment of Digitised Regulations

This is the most valuable service for ensuring change is dealt with correctly. Getting this wrong can have a lasting knock-on effect. Key features include the generation of heat maps for inherent risk, level of compliance and remediation effort for each new DLR across each individual entity, functional gaps that create a risk in each operating model impacted, details of PRSRs that are impacted, interpretation issues where the regulation is ambiguous and needs clarification, etc.

GRC-POS-25: Provide a Register of Rulings for Digitised Regulations

This service provides a Register of Rulings for all interpretation issues relating to the legal content of any regulations. It provides a structured way of consolidating and maximising the value of legal contributions and includes a log of proceedings that provides the due diligence for a client's position if challenged by a customer, regulator or the court.

GRC-POS-26: Design & Implement Digitised Controls

During analysis of each new DLR carried out under service GRC-POS-24, details of functional gaps in business operating models, impacts to PRSRs and entities with similar impacts are captured. This service then takes the input generated and helps clients design, build and implement business controls that are kept under change control.

GRC-POS-27: Design & Implement Digitised Early Warning Advance Controls (EWACs)

This is a service that relies on continuous learnings built into the review aspect of our PARA Monitoring Cycle, where errors, mistakes, disruptions and unforeseen events are the basis for improvement. Designing EWACs to flag these potentially damaging events is key for any business and is underpinned by our prevention quality principles built into this service.

CLIENTS EMBARKING ON A GRC DIGITISATION JOURNEY

GRC-POS-28: Establish a GRC Digitisation Strategy

By using our bespoke methodology, this service digitises planning details and drives periodic reviews of the GRC strategy, to help clients maintain alignment of costs, efforts and outcomes and to ensure positive progress and meaningful results. It creates a powerful opportunity for clients to understand the GRC agenda in the global context through research input we provide and to align their efforts accordingly.

GRC-POS-29: Build a GRC Digitisation Capability

There is a lot of value in the detail of our GRC Standard that will become more evident to clients as they have time to assimilate the full extent of each service. The more business-specific content that is digitised as services are set up, the greater value is created and more benefits to business are realised. This service focusses on making sure the client receives the necessary training on a scalable basis as take-on occurs.

GRC-POS-30: Project Manage GRC Digitisation Initiatives

A key outcome of our approach is that the client will gain the knowledge transfer to be able to drive the projects that deliver the GRC Standard’s Portfolio of Services and reduce dependencies. This service ensures that during the process of achieving this self-sufficiency, TOSMS is available to drive the changes for the client and mentor those key resources that will be responsible for championing the new standard into the future.

TECHNOLOGY OVERVIEW

Benefits of the Architecture

Flexibility

Interchangeable components allow you to replace any component without rework being required in other components.

Database (DB) abstraction

In line with modern practice and philosophy, DB abstraction means that the MySQL DB the solution is built on can be replaced with any other leading DB.

Security abstraction

Security abstraction enables us to easily adopt any of the leading security concepts or services.

Extensibility

Extensibility allows us to seamlessly and easily integrate future components, e.g. the advanced document manipulation capability required for E-unpack can be integrated with ease.

Integration layer

The integration layer allows for easy integration with other client systems.

What does this mean for the Business?

• No surprises
• Agility – ease and speed of change
• Control over access configurations (who can do/see what)
• High pace of delivering functionality (no more foundation work)

IMPLEMENTATION APPROACH

As-Is Analysis

• Impact analysis
  - Affected departments and roles
  - Affected business processes
  - Affected systems and data
  - Affected stakeholders (internal and external)
• As-is process designs
• As-is organisational structure
• As-is system architecture
• Change management assessment (propensity to change & culture)
• Communication plan

To-Be Design

• New process design (incl. steps impacted by new system, new controls)
• Organisational structure design
• Changes to roles and responsibilities plus job specifications including software permissions
• New role definitions, capacity calculations and recruitment
• Metrics and reporting requirements
• Target solution architecture (especially in case of data interchanges)
• System integration design (aligned to process design and metrics/reporting design)
• Deployment options and sequencing
• Business implementation planning
• Software implementation planning
  - Infrastructure provisioning
  - Security provisioning
  - Security integration (SSO)
• Change management plans
• Communication plan

Implementation

• Process training
• Software training
• Solution infrastructure provisioning
• Integration development and testing
• Security provisions implementation
• Software deployment
• Data take-on (users, departments, permission)

PRICING

One of the major benefits of our solution is that any one, or any combination, of the 30 GRC services can be set up with its enabling software, because the underlying architecture makes this possible and allows the incremental benefits to be derived without added database integration costs later.

As a result, we provide our pricing on a case-by-case basis, knowing that every client has different needs and very specific configurations that meet these needs.

Pricing therefore varies according to the extent of consulting assistance required and the nature of the solution to be implemented, and consists of two main components:

Consulting and Implementation Fees

These fees depend on the analysis scope, the level of adoption of our GRC Standard and Tools, and the advisory, integration and project management services required by the client during implementation.

We cater for different levels of advisory, integration and project management skills, depending on client requirements.

Software License Fee

Here, there are two options: a Client-hosted or a Moyo-hosted solution. Each has its own applicable fees, made up of a Platform Fee, a Per User Fee and a Maintenance Fee.

The Platform Fee is based on the system configuration.

The User Fee is determined by the number of licensed users and the system functionality that the client has chosen.

The Maintenance Fee is a factor of the combined Platform and User Fee figure.

CONTACT US

If you are interested in having a discussion on how T-GRCS can assist your organisation to get GRC done right, we would love to hear from you. Please call us or send us an e-mail and we will be happy to meet with you.

Our contact details in South Africa and the United Kingdom are as follows:

United Kingdom

Tim O’Hanlon, +44 7527 [email protected]

South Africa

Dewald Lindeque, +27 82 326 [email protected]

Copyright 2020 Tim O’Hanlon Strategic Management Services (UK). All rights reserved.

2020_002A